General
Target: Pending Payment Notice.xll
Size: 638KB
Sample: 220121-bl1r2scfer
MD5: d86d39b83dd3306e7296a0d0dcb80cc1
SHA1: f5b791a3557d78cace3eec6ae18abde85ecb0ce5
SHA256: 9c862fc58921af61605e29d2bc0c639af68492669a4928e5334cc48bda6b79af
SHA512: faa6c7caaa916342fd7e05cb45f1e3102630fde7d85526d2871d9eff2f930c8e301e562f9bec1c95c08bd614bd81920fdddb0483bcd92ca14f45c4e5d3ee3d5f
Static task: static1
Behavioral task: behavioral1
Sample: Pending Payment Notice.xll
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: Pending Payment Notice.xll
Resource: win10v2004-en-20220112
Malware Config
Extracted: lokibot
Extracted: pony
http://windowssecuritycheck.gdn/jx/p/gate.php
Targets
- suricata: ET MALWARE Generic .bin download from Dotted Quad
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- Downloads MZ/PE file
- Executes dropped EXE
- Sets service image path in registry
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext